Gartner recently announced a new category in their cybersecurity technology analysis called Security Operations, Analytics, and Reporting. On occasion, you will also hear cybersecurity professionals call it SOAPA (security operations analytics platform architecture) instead, perhaps because they want to punish us with yet another cybersecurity acronym, but pay them no mind, Gartner calls it SOAR and so should we. In a sense, SOAR really can help your CSOC feel like it has wings. SOAR is a security reporting and operations platform that uses machine-readable data from a wide range of different sources to provide management, analysis and reporting capabilities in support of cybersecurity analysts. SOAR platforms apply decision making logic, combined with context, to provide formalized workflows and enable the informed triage of cybersecurity remediation tasks. SOAR platforms provide the actionable intelligence that you need to stay on top of your workflow.
What’s The Difference Between SOAR vs SIEM?
SIEM has been around for some time, and during that time it has evolved from a security event correlation tool into a security analytics system. Traditionally, SIEM is the practice of aggregating your security logs and events to give you visibility into what is happening in your organization from a cybersecurity perspective. The evolution of the tools we use is a continuous process, and while alerts about suspicious behaviour are necessary, the real goal is to respond to each alert as quickly and effectively as possible. While a traditional SIEM will let you know that something is going down on your networks, a SOAR platform enables you to act on that information. SOAR gathers and consolidates all of the data from your security applications and threat intelligence feeds, but goes a step further than SIEM by enabling you to automate your responses and coordinate automated security tasks across your connected applications and processes. SOAR enables you to aggregate third-party threat intelligence from multiple sources while giving you the ability to develop playbooks consisting of quality, actionable activities in response to any threats.
How Can SOAR Help A Cybersecurity Analyst?
Physicist William Pollard once said that "Information is a source of learning. But unless it is organized, processed, and available to the right people in a format for decision making, it is a burden, not a benefit", and this doubly applies in the cybersecurity space. What is most remarkable about this 19th-century quote is that it succinctly describes a problem that most modern CSOC teams will face at some point. Very often CSOC analysts become overwhelmed by the sheer amount of alerts and information available to them, often spread across different systems. A large part of the average CSOC analyst's time is spent sifting through that information in order to organize and present it in a way that is conducive to decision making. This is where SOAR comes in: it seeks to unburden CSOC analysts from these tasks, freeing them up to focus on higher priority work and delivering a measurable return on investment over a relatively short period of time. It's worth mentioning that the best SOAR platforms are those that can demonstrate they are delivering an ROI, and typically you should expect to see a clear 15%+ saving on your cybersecurity team's time.
What Capabilities Should A Modern SOAR Platform Have?
Endpoint Detection & Response - After prioritizing security alerts, analysts then want to dig deeper into incidents by investigating and monitoring endpoint behaviour, making endpoint detection and response (EDR) a critical part of any SOAR platform.
Vulnerability Management - Part of a SOC analyst's job is knowing which alerts need to be prioritized and managed. These decisions are typically driven by the vulnerability management capabilities of a SOAR platform and based on live data.
Threat Intelligence - Integrate SOAR into any number of threat intelligence platforms and sources to enable analysts to quickly compare potential threats against known threats.
Case Management Based Incident Response - Analysts collect, process and analyze security data, but they need to be able to leverage that in order to prioritize alerts and respond to threats as quickly as possible. The incident response capabilities of a SOAR platform are critical to this.
Playbook Management - Because SOAR platforms are geared towards incident response, an essential part of SOAR is the ability to create and manage playbooks that align with your incident response policies and streamline your incident response processes.
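To make the "decision making logic, combined with context" and the playbook idea concrete, here is an added example (not any vendor's code or a real SOAR product API) of a minimal playbook: it takes an alert from a source such as a SIEM or EDR, enriches it against a threat intelligence feed and an asset inventory, and assigns a priority and a list of response actions. The feed, inventory, alert fields and action names are all constructed for the illustration.

```python
# Added illustration of a SOAR-style playbook (not any vendor's code): enrich a
# SIEM alert with threat intel and asset context, then decide a triage action.
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> confidence (0-100). The addresses
# are documentation-range examples, marked "malicious" only for this demo.
THREAT_INTEL = {"198.51.100.23": 90, "203.0.113.7": 40}

# Constructed asset inventory: hostname -> business criticality.
ASSETS = {"db-prod-01": "critical", "lab-vm-17": "low"}

@dataclass
class Alert:
    source: str      # tool that raised it (SIEM, EDR, ...)
    host: str
    dest_ip: str

@dataclass
class Case:
    alert: Alert
    ti_score: int
    criticality: str
    priority: str = "P4"
    actions: list = field(default_factory=list)

def enrich(alert):
    """Look up the destination in threat intel and the host in the inventory."""
    return THREAT_INTEL.get(alert.dest_ip, 0), ASSETS.get(alert.host, "unknown")

def run_playbook(alert):
    """Decision logic: combine intel confidence with asset criticality."""
    ti_score, criticality = enrich(alert)
    case = Case(alert, ti_score, criticality)
    if ti_score >= 80 and criticality == "critical":
        case.priority = "P1"
        case.actions += ["isolate_host", "page_oncall", "open_case"]
    elif ti_score >= 80 or criticality == "critical":
        case.priority = "P2"
        case.actions += ["open_case", "collect_edr_timeline"]
    elif ti_score > 0:
        case.priority = "P3"
        case.actions += ["open_case"]
    else:  # no intel hit on a low-value asset: close with an audit note
        case.actions += ["auto_close_with_note"]
    return case

def triage(alerts):
    """Run every alert through the playbook and queue cases by priority."""
    return sorted((run_playbook(a) for a in alerts), key=lambda c: c.priority)
```

In a real deployment the two dictionaries would be live connectors to your intel platform and CMDB, and each action name would map to an integration (EDR isolation, ticketing, paging) that the playbook invokes.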